Adding Exchange & OWA 2013 and 2016

This document explains how to configure Exchange 2013 and 2016 Outlook Web Access and Exchange Control Panel to support Single Sign-On from AuthAnvil.

Configuration Steps

Select Directory Manager.

Select Groups.

Select the green plus sign in the bottom right corner.

Name the Group ExchangeUsers. Note: If you already have a Group for SSO users, you can use that Group instead.

Select ADD GROUP.

Select SSO Manager.

Select the green plus sign in the bottom right corner.

Select the Catalog Icon.

Select Exchange Control Panel.

Select the Application Enabled option.

Select Protocol Setup and update the Reply To URL value to match the FQDN of your Exchange host. Update the Audience URI value to match the FQDN of your Exchange host.

Select Attribute Transformation. Verify that the User.EmailAddress property is the correct value to send to represent the user's UPN in Active Directory. Note: If this value does not work, consider creating a custom transform such as "{User.PrincipalName}@domain.com", which generates a value of the form "name@domain.com". Note: Exchange explicitly requires the PrimarySid claim and will not sign a user in unless its value matches the user's SID in Active Directory. This attribute was added to the sync set recently and may require a minor configuration update to include it in the DirSync process; the steps to update the synchronization are below. If you have not configured Directory Synchronization, you must provide this value manually as a custom attribute for each user.

Select Add Application.

Select Permissions.

Select Add Groups. Select the Group you created above (ExchangeUsers, or the existing SSO Group you chose instead).

Select Signing and Encryption. Select Copy. Save the Thumbprint value to a safe location; it will be used later to configure Exchange itself.

Select Download. Note: The signing certificate will need to be installed on the Exchange server(s).

Select Save changes.

Repeat the process for the Outlook Web Access application. Note that the signing certificate will be the same for both applications.

Select Directory Manager.

Select Groups.

Select the green plus sign in the bottom right corner.

Name the Group OWAUsers. Note: If you already have a Group for SSO users, you can use that Group instead.

Select ADD GROUP.

Select SSO Manager.

Select the green plus sign in the bottom right corner.

Select the Catalog Icon.

Select Outlook Web Access.

Select the Application is Enabled option.

Select your desired Authentication Policy.

Select Protocol Setup and update the Reply To URL value to match the FQDN of your Exchange host. Update the Audience URI value to match the FQDN of your Exchange host.

Select Attribute Transformation.

Verify that the User.EmailAddress property is the correct value to send to represent the user's UPN in Active Directory. Note: If this value does not work, consider creating a custom transform such as "{User.PrincipalName}@domain.com", which generates a value of the form "name@domain.com". Note: Exchange explicitly requires the PrimarySid claim and will not sign a user in unless its value matches the user's SID in Active Directory. This attribute was added to the sync set recently and may require a minor configuration update to include it in the DirSync process; the steps to update the synchronization are below. If you have not configured Directory Synchronization, you must provide this value manually as a custom attribute for each user.

Select Add Application.

Select Permissions.

Select Add Groups.

Select the Group you created above (OWAUsers, or the existing SSO Group you chose instead).
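The Attribute Transformation steps for both the Exchange Control Panel and Outlook Web Access applications above depend on two values per user being exactly right: the UPN that User.EmailAddress (or a custom transform) is sent as, and the PrimarySid claim that must match the user's SID. The following PowerShell is an added example, not part of the AuthAnvil article, for pulling both values out of Active Directory so you can check the transform output, or enter the SID manually as a custom attribute when Directory Synchronization is not configured. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read user objects; the account names in the usage line are placeholders.

```powershell
# Added example (not from the AuthAnvil article). Assumes the ActiveDirectory
# module (RSAT) is available and the caller can read user objects in AD.
Import-Module ActiveDirectory

function Get-ExchangeSsoClaimValues {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName
    )
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -Properties UserPrincipalName, mail, SID
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            # Value the UPN sent by the SSO application must equal. The article
            # maps it from User.EmailAddress, or from a transform such as
            # "{User.PrincipalName}@domain.com" when the mail value differs.
            UPN            = $u.UserPrincipalName
            Mail           = $u.mail
            # Value the PrimarySid claim must carry (S-1-5-21-...). Exchange
            # refuses the sign-in if this does not match exactly.
            PrimarySid     = $u.SID.Value
            # Users whose mail and UPN differ are the ones for which sending
            # User.EmailAddress as the UPN will fail and a custom transform is needed.
            UpnMatchesMail = ($u.UserPrincipalName -eq $u.mail)
        }
    }
}

# Usage: the account names are placeholders for accounts in your SSO Group.
Get-ExchangeSsoClaimValues -SamAccountName 'jdoe', 'asmith' | Format-Table -AutoSize
```

Any row with UpnMatchesMail equal to False is a user for whom the default User.EmailAddress mapping will not represent the UPN, which is the case the article's custom transform note addresses; the PrimarySid column is the string to supply as the custom attribute if you are not running DirSync.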

Configure Exchange

Connect to the Exchange Server(s) hosting OWA and ECP. Copy the certificate downloaded in the previous steps to each server and double-click it to install. The certificate must be installed in the "Trusted Root Certification Authorities" store of the LOCAL MACHINE (not the current user). This allows ECP and OWA to trust tokens signed by AuthAnvil with this certificate.
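Installing the signing certificate through the double-click wizard works, but on several servers it is easier to script, and a certificate placed in the Trusted Root store is trusted for every purpose on that machine, so it is worth confirming that the file you are about to install carries the Thumbprint copied from Signing and Encryption before it goes in. The following PowerShell is an added example, not part of the AuthAnvil article: it compares the file's thumbprint against the saved value, imports the certificate into LocalMachine\Root, and checks that it is present afterwards. The file path and thumbprint are placeholders; run it in an elevated session on each Exchange server hosting OWA and ECP.

```powershell
# Added example (not from the AuthAnvil article). Run elevated on each
# Exchange server. $CertPath and $ExpectedThumbprint are placeholders for the
# downloaded .cer file and the Thumbprint saved from Signing and Encryption.
$CertPath = 'C:\Temp\AuthAnvil-Signing.cer'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'

# Normalise the saved thumbprint (tools sometimes copy it with spaces or colons).
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()

# Read the file and refuse to proceed if it is not the certificate we expect.
# Anything added to LocalMachine\Root is trusted machine-wide, so check first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# Install into Trusted Root Certification Authorities for the LOCAL MACHINE.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify the certificate is now in the store OWA and ECP will consult.
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $expected }
if (-not $installed) {
    throw 'Certificate not found in Cert:\LocalMachine\Root after import'
}
"Installed $($installed.Subject) [$($installed.Thumbprint)], valid until $($installed.NotAfter)"
```

Note the store path: Cert:\LocalMachine\Root is the machine-wide Trusted Root store the article calls for; Cert:\CurrentUser\Root would only be trusted by the account that ran the script, and the Exchange services would not see it.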